The PSR’s new fraud refund rules: A step forward, but is it enough?

by Anastasia Sakharova, Head of Fintech Compliance, Sumsub

What is this article about?

New UK regulations requiring payment firms to refund fraud victims up to £85,000 within five days.

Why is it important?

It aims to protect consumers from authorised push payment (APP) fraud but raises concerns about the adequacy of protection for larger fraud cases.

What’s next?

Financial institutions must adopt AI-driven solutions and collaborate closely to proactively combat evolving fraud threats.

As of October 7, all UK payment firms making use of the faster payment system (FPS) are required to refund fraud victims up to £85,000 within five days under new rules set by the Payment Systems Regulator (PSR).

While this marks a significant step toward protecting consumers from authorised push payment (APP) fraud, concerns remain that the reduced compensation cap may leave some victims vulnerable. Further, it is unclear whether the rules address the complexities of evolving fraud tactics. As fraud continues to rise, especially with the emergence of AI-powered scams, is this new regulation enough to tackle the ever-evolving threat of financial fraud?

APP fraud: A growing crisis

APP fraud is increasingly prevalent because scammers exploit trust between victims and entities posing as legitimate service providers, making these scams difficult to detect. According to the Payment Systems Regulator (PSR), the volume of APP fraud cases rose by 12% last year. This increase was driven by fraudsters leveraging sophisticated techniques, such as fraud networks, phishing scams and AI-generated deepfakes, to trick victims into authorising payments.

One key factor behind this rise was the greater accessibility of technology that fraudsters can use to mimic legitimate businesses or individuals, often using social engineering tactics. As scams become more advanced, even the most cautious consumers are falling victim.

Benefits vs. concerns of the new regulations

The PSR’s new rules are a critical step in addressing this crisis. However, the decision to cap refunds at £85,000, down from an earlier proposal of £415,000, has sparked debate and raised various concerns. While users can still request refunds for amounts above the cap, this process may be more complex, raising questions about the adequacy of protection for victims of large-scale fraud.

Although this new cap will cover more than 99% of claims, consumer advocacy groups, such as Which?, argue that the lower cap may reduce the financial industry’s incentive to prevent fraud. Furthermore, the reduced compensation could result in banks taking a more lax approach to fraud prevention and leaving victims in the lurch, assuming they will be covered.

Mitigating APP fraud

While refunds provide some level of protection for individuals, they are perceived as a constant burden for financial institutions. Moreover, many businesses lack adequate technology to combat the growing sophistication of fraud tactics.

In one recent case, a UK businessman and Revolut user lost £165,000 to fraud when scammers bypassed security measures and gained access to his Revolut business account, authorising hundreds of transactions in just an hour. Avoiding common fraud schemes requires vigilance and awareness from individuals, too. They must be cautious with unsolicited payment requests, verify the legitimacy of invoices or purchase requests, and avoid sharing personal or financial information too readily.

Regarding businesses, recent data revealed a 245% year-over-year increase in deepfake fraud cases globally, highlighting the need for more robust fraud prevention measures. The key is to stay one step ahead of fraudsters by adopting AI-driven solutions that can detect anomalies in user behaviour and identify fraud patterns as they emerge. As the financial industry becomes increasingly digital, the threat landscape will continue to evolve. A reactive approach to fraud is no longer sufficient; financial institutions must proactively monitor and defend against emerging threats.

AI is a double-edged sword in fraud prevention. While fraudsters use it to create deepfakes and manipulate unsuspecting victims, financial institutions can also harness AI to combat these threats. The PSR’s new fraud refund rules are undoubtedly a step forward in protecting consumers from APP fraud’s financial and emotional devastation; however, more needs to be done. To effectively mitigate and detect APP fraud, financial institutions should adopt a multi-layered strategy to fight AI with AI.

In addition to screening out seemingly malicious actors during know-your-customer (KYC) and anti-money laundering (AML) checks, banks and payments companies can employ machine learning models for pattern recognition and anomaly detection to identify unusual transaction behaviour post-onboarding, such as large transfers to new payees. Transaction history analysis can help spot deviations from typical behaviour, like sudden payments to foreign accounts or newly added recipients.

Additionally, behavioural biometrics can detect fraud by monitoring user actions like typing speed or mouse movements for signs of coercion. AI-based fraud scoring, geo-location monitoring, and implementing multi-factor authentication (MFA) can further enhance real-time fraud detection and prevention.
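An added example, not from the article or from any vendor's product: a small statistical scorer for the transaction-history checks described above, flagging large transfers to new payees and first-time foreign destinations against a customer's own history. It uses a median/MAD baseline in place of a trained model; the weights, thresholds, field names and sample history are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from statistics import median

@dataclass(frozen=True)
class Payment:
    payee: str      # payee account identifier
    amount: float   # GBP
    country: str    # country of the payee account

# Illustrative weights and thresholds (assumptions, not regulatory values).
WEIGHTS = {"amount_outlier": 40, "new_payee": 30, "new_foreign_destination": 20}
MIN_HISTORY = 5          # payments needed before an amount baseline is trusted
HOLD, STEP_UP = 70, 30   # score at which to hold for review / ask for MFA

def assess(history, p, home="GB"):
    """Score one outgoing payment against the customer's own history."""
    signals = []
    prior_to_payee = [h.amount for h in history if h.payee == p.payee]
    amounts = [h.amount for h in history]
    # Amount check: robust z-score (median/MAD), skipped when the customer has
    # already sent this much to the same payee (e.g. monthly rent).
    if len(amounts) >= MIN_HISTORY and p.amount > max(prior_to_payee, default=0.0):
        med = median(amounts)
        mad = median(abs(a - med) for a in amounts) or 1.0  # avoid divide-by-zero
        if 0.6745 * (p.amount - med) / mad > 3.5:
            signals.append("amount_outlier")
    if not prior_to_payee:
        signals.append("new_payee")
    if p.country != home and p.country not in {h.country for h in history}:
        signals.append("new_foreign_destination")
    score = sum(WEIGHTS[s] for s in signals)
    if {"amount_outlier", "new_payee"} <= set(signals):
        score += 10  # large transfer to a new payee: the pattern named in the text
    action = "hold" if score >= HOLD else "step_up" if score >= STEP_UP else "allow"
    return score, signals, action

# Constructed sample history for one customer (not real data).
HISTORY = [Payment("GB-GROCER", 40.0, "GB"), Payment("GB-UTILITY", 55.0, "GB"),
           Payment("GB-GYM", 60.0, "GB"), Payment("GB-GROCER", 45.0, "GB"),
           Payment("GB-LANDLORD", 1200.0, "GB"), Payment("GB-UTILITY", 50.0, "GB"),
           Payment("GB-GYM", 62.0, "GB")]

if __name__ == "__main__":
    for pay in (Payment("GB-LANDLORD", 1200.0, "GB"),
                Payment("GB-NEW-001", 9500.0, "GB"),
                Payment("XX-NEW-002", 70.0, "XX")):
        print(pay, assess(HISTORY, pay))
```

A customer with no history gets no amount baseline, so the first payment is scored on the new-payee signal alone and routed to step-up rather than allowed silently.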

Collaboration is key

One of the most promising aspects of the PSR’s new rules is the provision that banks can claim back half of the refunded amount from the financial institution where the fraudster’s account was held. This “game-changing” rule could encourage banks to collaborate more closely to shut down fraudulent accounts quickly and prevent future scams. By incentivising both parties to act swiftly, the financial industry may be able to stem the rising tide of fraud.

However, this alone won’t solve the problem. Collaboration between regulators, financial institutions, and expert fraud prevention companies is essential to create a more secure financial ecosystem. Platforms at the forefront of this effort must be ‘in the room,’ working closely with both policymakers and businesses. Together, they can shape legislation that accurately reflects the threats posed by AI-driven fraud, ensuring that both consumers and businesses are better protected.
